[PATCHES] Support IPA sudo schema
by Pavel Březina
Hello list,
the support for the IPA sudo schema is almost complete. The only thing that
remains is to finish the smart refresh implementation and one patch to
reduce code duplication between the LDAP and IPA implementations. Then I need
to run some tests, but I don't expect much trouble here since I tested
it a lot during development. I'll finish all of this after my Christmas
vacation.
The patches are probably too big to be sent as an attachment, so until I
complete the last two patches, you can check them out on my git repo, branch
sudo [1]. I don't really expect anyone to review them during the Christmas
break, but I thought it's a good thing to present them in case someone
gets really bored with all the candies and family visits :-)
Happy reviewing.
[1] https://fedorapeople.org/cgit/pbrezina/public_git/sssd.git/log/?h=sudo
8 years, 3 months
SSSD: User found in AD but authentication fails
by mferon
Hello all.
I'm trying to set up LDAP authentication against AD. I've installed
SSSD 1.12.4
OS: Red Hat Enterprise Linux Server release 6.2 (Santiago)
In the logs, my search brings back the user, but the final result fails
with "not found".
For testing I use 'id WXYZ123'.
An ldapsearch works fine.
I've tried changing ldap_id_mapping = false to true, but the request is
then completed with a ((null=*)) AND condition, so it fails each time.
I've already spent 5 days on this and am going crazy. I've googled a lot but
haven't found any answer, except the
https://fedorahosted.org/sssd/ticket/2666 ticket.
Many thanks for any help you can give me.
Happy new year!
PS: I'm French and haven't practised writing in English for a long time,
sorry :)
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_print_server]
(0x2000): Searching XXX.XXX.XXX.XXX
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x0400): calling ldap_search_ext with [(&
(sAMAccountName=WXYZ123)(objectclass=user)(sAMAccountName=*)(&
(objectSid=*)(!(objectSid=0))))]
[OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr].
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectClass]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sAMAccountName]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [userPassword]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectSid]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [objectGUID]
[...]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x1000): Requesting attrs: [sshPublicKey]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_ext_step] (0x2000): ldap_search_ext called, msgid = 3
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_id_op_connect_done] (0x4000): caching successful connection after
1 notifies
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[be_run_unconditional_online_cb] (0x4000): List of unconditional online
callbacks is empty, nothing to do.
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90],
ldap[0x10d51d0]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90],
ldap[0x10d51d0]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_ENTRY]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_entry]
(0x1000): OriginalDN: [CN=FERON Matthieu,OU=Utilisateurs,OU=MainOU,OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr].
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectClass]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [cn]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [memberOf]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectGUID]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [userAccountControl]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [objectSid]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [accountExpires]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [sAMAccountName]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_parse_range]
(0x2000): No sub-attributes for [modifyTimeStamp]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: sh[0x10d8800], connected[1], ops[0x10e5d90],
ldap[0x10d51d0]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_message]
(0x4000): Message type: [LDAP_RES_SEARCH_RESULT]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_generic_op_finished] (0x0400): Search result: Success(0), no
errmsg set
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_search_user_process] (0x0400): Search for users, returned 1
results.
Great, I found myself!
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_search_user_process] (0x4000): Retrieved total 1 users
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [ldb] (0x4000): start
ldb transaction (nesting: 0)
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user]
(0x0400): Save user
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_attrs_get_sid_str] (0x1000): No [objectSID] attribute. [0]
[Success]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user]
(0x4000): objectSID: not available for user
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]]
[sdap_get_primary_name] (0x0400): Processing object XORC529
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_save_user]
(0x0400): Processing user XORC529
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [ldb] (0x4000): commit
ldb transaction (nesting: 0)
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_get_users_done]
(0x4000): Saving 1 Users - Done
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_id_op_done]
(0x4000): releasing operation connection
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [acctinfo_callback]
(0x0100): Request processed. Returned 0,0,Success
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: sh[0x10d8800], connected[1], ops[(nil)],
ldap[0x10d51d0]
(Mon Jan 18 10:42:07 2016) [sssd[be[laposte.fr]]] [sdap_process_result]
(0x2000): Trace: ldap_result found nothing!
Why??
(Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_dispatch]
(0x4000): dbus conn: 0x10c2670
(Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_dispatch]
(0x4000): Dispatching.
(Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]] [sbus_message_handler]
(0x4000): Received SBUS method [ping]
(Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]]
[sbus_get_sender_id_send] (0x2000): Not a sysbus message, quit
(Mon Jan 18 10:42:13 2016) [sssd[be[laposte.fr]]]
[sbus_handler_got_caller_id] (0x4000): Received SBUS method [ping]
Here is my sssd.conf
[sssd]
config_file_version = 2
reconnection_retries = 3
sbus_timeout = 30
services = nss, pam
domains = mydomain.fr
[nss]
filter_groups = root
filter_users = root
reconnection_retries = 3
[pam]
reconnection_retries = 3
[domain/mydomain.fr]
debug_level = 0x7700
cache_credentials = False
id_provider = ldap
auth_provider = krb5
chpass_provider = krb5
access_provider = ldap
ldap_uri = ldap://XXX.XXX.XXX.XXX
ldap_id_mapping = false
ldap_schema = rfc2307bis
ldap_referrals = False
ldap_search_base = OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr
ldap_user_search_base = OU=RessLocales,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr
ldap_user_object_class = user
ldap_group_search_base = OU=Users,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr
ldap_group_object_class = group
ldap_user_name = sAMAccountName
ldap_user_uid_number = objectSid
ldap_user_gid_number = objectGUID
ldap_user_home_directory = unixHomeDirectory
ldap_user_member_of = memberOf
ldap_access_order = expire
ldap_account_expire_policy = ad
ldap_force_upper_case_realm = True
ldap_id_use_start_tls = False
ldap_user_member_of = memberOf
ldap_default_bind_dn = CN=AllowedToBindUSer,OU=Services,OU=OtherOU,OU=Applications,DC=corp,DC=log,DC=intra,DC=mydomain,DC=fr
ldap_default_authtok_type = password
ldap_default_authtok = MySecretPassword
ldap_tls_cacertdir = /etc/openldap/cacerts
My krb5.conf
[logging]
default = FILE:/var/log/krb5libs.log
kdc = FILE:/var/log/krb5kdc.log
admin_server = FILE:/var/log/kadmind.log
[libdefaults]
default_realm = MYDOMAIN.FR
dns_lookup_realm = false
dns_lookup_kdc = false
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = true
[realms]
MYDOMAIN.FR = {
kdc = XXX.XXX.XXX.XXX
admin_server = XXX.XXX.XXX.XXX
}
[domain_realm]
.mydomain.fr = MYDOMAIN.FR
mydomain.fr = MYDOMAIN.FR
8 years, 3 months
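The configuration in the post above points ldap_user_uid_number at objectSid. In Active Directory that attribute is a binary structure (revision, sub-authority count, a 48-bit identifier authority and a list of 32-bit sub-authorities, the last of which is the RID), not a decimal string, so nothing that expects a POSIX uidNumber can consume it as-is. The decoder below is an added example written for this page, not SSSD code: it parses the blob into its textual S-1-... form, extracts the RID that ID-mapping schemes derive POSIX IDs from, and shows that a digit-only uidNumber parser rejects the raw bytes. The sample SID S-1-5-21-1-2-3-1105 is constructed and the function names are illustrative.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define SID_MAX_SUBAUTH 15

/* Decoded form of an AD objectSid (binary on the wire). */
typedef struct {
    uint8_t  revision;
    uint64_t authority;                 /* 48-bit identifier authority, big-endian in the blob */
    uint8_t  subauth_count;
    uint32_t subauth[SID_MAX_SUBAUTH];  /* little-endian in the blob; the last one is the RID */
} sid_t;

/* Parse the binary blob; returns 0 on success, -1 on malformed input. */
int sid_parse(const uint8_t *buf, size_t len, sid_t *out)
{
    if (buf == NULL || out == NULL || len < 8) return -1;
    out->revision = buf[0];
    out->subauth_count = buf[1];
    if (out->revision != 1 || out->subauth_count > SID_MAX_SUBAUTH) return -1;
    if (len != 8 + 4 * (size_t)out->subauth_count) return -1;   /* reject truncated or padded blobs */
    out->authority = 0;
    for (int i = 0; i < 6; i++)
        out->authority = (out->authority << 8) | buf[2 + i];
    for (int i = 0; i < out->subauth_count; i++) {
        const uint8_t *p = buf + 8 + 4 * i;
        out->subauth[i] = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
                          ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    }
    return 0;
}

/* Render as "S-R-A-S1-...-Sn"; returns bytes written, or -1 if dst is too small. */
int sid_to_string(const sid_t *sid, char *dst, size_t dstlen)
{
    int n = snprintf(dst, dstlen, "S-%u-%llu", (unsigned)sid->revision,
                     (unsigned long long)sid->authority);
    if (n < 0 || (size_t)n >= dstlen) return -1;
    for (int i = 0; i < sid->subauth_count; i++) {
        int m = snprintf(dst + n, dstlen - (size_t)n, "-%" PRIu32, sid->subauth[i]);
        if (m < 0 || (size_t)m >= dstlen - (size_t)n) return -1;
        n += m;
    }
    return n;
}

/* The RID is the last sub-authority; -1 for a SID that has none. */
long sid_rid(const sid_t *sid)
{
    return sid->subauth_count ? (long)sid->subauth[sid->subauth_count - 1] : -1;
}

/* What a uidNumber consumer expects: an ASCII decimal string. Returns the id,
 * or -1 when the value is not purely decimal digits (as a binary SID never is). */
long posix_id_from_attr(const uint8_t *val, size_t len)
{
    if (len == 0 || len > 10) return -1;      /* 32-bit IDs have at most 10 digits */
    long id = 0;
    for (size_t i = 0; i < len; i++) {
        if (val[i] < '0' || val[i] > '9') return -1;
        id = id * 10 + (val[i] - '0');
    }
    return id;
}

/* Constructed sample blob for S-1-5-21-1-2-3-1105 (not a real domain SID). */
static const uint8_t SAMPLE_SID[] = {
    0x01, 0x05,                           /* revision 1, five sub-authorities */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x05,   /* identifier authority 5 (NT) */
    0x15, 0x00, 0x00, 0x00,               /* 21 */
    0x01, 0x00, 0x00, 0x00,               /* 1 */
    0x02, 0x00, 0x00, 0x00,               /* 2 */
    0x03, 0x00, 0x00, 0x00,               /* 3 */
    0x51, 0x04, 0x00, 0x00                /* RID 1105 (0x0451) */
};

/* Run the constructed sample through the decoder; returns the RID or -1. */
long sample_rid(void)
{
    sid_t sid;
    if (sid_parse(SAMPLE_SID, sizeof SAMPLE_SID, &sid) < 0) return -1;
    return sid_rid(&sid);
}

/* 1 if the sample renders as the expected textual SID, 0 otherwise. */
int sample_string_ok(void)
{
    sid_t sid;
    char text[128];
    if (sid_parse(SAMPLE_SID, sizeof SAMPLE_SID, &sid) < 0) return 0;
    if (sid_to_string(&sid, text, sizeof text) < 0) return 0;
    return strcmp(text, "S-1-5-21-1-2-3-1105") == 0;
}

int main(void)
{
    sid_t sid;
    char text[128];
    if (sid_parse(SAMPLE_SID, sizeof SAMPLE_SID, &sid) < 0 ||
        sid_to_string(&sid, text, sizeof text) < 0) {
        puts("malformed SID");
        return 1;
    }
    printf("objectSid            = %s (RID %ld)\n", text, sid_rid(&sid));
    printf("raw blob as uidNumber = %ld\n", posix_id_from_attr(SAMPLE_SID, sizeof SAMPLE_SID));
    printf("\"10001\" as uidNumber  = %ld\n", posix_id_from_attr((const uint8_t *)"10001", 5));
    return 0;
}
```

The length check in sid_parse matters in practice: a directory can hand back an attribute of any size, and a decoder that trusts the sub-authority count without comparing it to the buffer length reads past the end of the value.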
[PATCHES] Replace monitor pings with in process watchdog
by Simo Sorce
The attached patches implement a service watchdog based on timers and a
custom SIGRT signal (of which there are 30/32 available to use) and
remove the ping-based solution.
In case a child gets stuck in a tevent loop, the timer will eventually
kill it (in 30 sec. by default) and the monitor will catch that the child has
terminated (via SIGCHLD) and restart it. This makes the ping-based
infrastructure obsolete, so the monitor now stops setting it up.
In order to avoid changes to the dbus interface, the ping method is still
in place for responders/providers, but simply never invoked.
Resolves:
https://fedorahosted.org/sssd/ticket/2921
--
Simo Sorce * Red Hat, Inc * New York
8 years, 3 months
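The mechanism described in the message above, as an added self-contained example rather than the patches themselves (this is not SSSD code): a periodic POSIX timer delivers a real-time signal to the service process; the handler counts ticks; the event loop resets the counter on every pass; once the count reaches the limit the handler ends the process with _exit(), and the monitor reaps the dead child and starts a new one. The 100 ms period, the three-tick limit, the use of SIGRTMIN and all function names are assumptions for the demo, not values from the patch (the text gives 30 s as the default). The child here deliberately stops servicing the watchdog after a few iterations to play the "stuck in a tevent loop" role.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <signal.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Demo tunables (assumptions, not the patch's values; the text gives 30 s). */
#define WD_INTERVAL_MS 100   /* timer period */
#define WD_MAX_TICKS   3     /* unserviced ticks before the process ends itself */

static volatile sig_atomic_t wd_ticks;   /* ticks since the loop last serviced the watchdog */

/* Counter bookkeeping kept free of signal plumbing so it can be exercised directly. */
int watchdog_tick(volatile sig_atomic_t *ticks, int max_ticks)
{
    (*ticks)++;
    return *ticks >= max_ticks;          /* nonzero: the main loop is stuck */
}

void watchdog_reset(volatile sig_atomic_t *ticks) { *ticks = 0; }

/* How many unserviced ticks it takes to trip the watchdog for a given limit. */
int ticks_until_trip(int max_ticks)
{
    volatile sig_atomic_t c = 0;
    int n = 0;
    while (!watchdog_tick(&c, max_ticks)) n++;
    return n + 1;
}

/* Real-time-signal handler: async-signal-safe work only, and _exit() when stuck. */
static void wd_handler(int sig, siginfo_t *si, void *ctx)
{
    (void)sig; (void)si; (void)ctx;
    if (watchdog_tick(&wd_ticks, WD_MAX_TICKS))
        _exit(EXIT_FAILURE);             /* the parent gets SIGCHLD and this exit status */
}

/* Arm a periodic POSIX timer that delivers SIGRTMIN (assumed unused) to this process. */
int watchdog_arm(void)
{
    struct sigaction sa;
    memset(&sa, 0, sizeof sa);
    sa.sa_sigaction = wd_handler;
    sa.sa_flags = SA_SIGINFO | SA_RESTART;
    sigemptyset(&sa.sa_mask);
    if (sigaction(SIGRTMIN, &sa, NULL) < 0) return -1;

    struct sigevent sev;
    memset(&sev, 0, sizeof sev);
    sev.sigev_notify = SIGEV_SIGNAL;
    sev.sigev_signo = SIGRTMIN;
    timer_t tid;                          /* lives for the process lifetime; never deleted */
    if (timer_create(CLOCK_MONOTONIC, &sev, &tid) < 0) return -1;

    struct itimerspec its;
    its.it_interval.tv_sec = 0;
    its.it_interval.tv_nsec = WD_INTERVAL_MS * 1000000L;
    its.it_value = its.it_interval;
    return timer_settime(tid, 0, &its, NULL);
}

/* Simulated service child: services the watchdog for a few passes, then hangs. */
static void child_main(void)
{
    struct timespec half = { 0, WD_INTERVAL_MS * 500000L };
    if (watchdog_arm() < 0) _exit(2);
    for (int i = 0; i < 5; i++) {
        watchdog_reset(&wd_ticks);       /* what a healthy event loop does on every pass */
        nanosleep(&half, NULL);
    }
    for (;;) pause();                    /* "stuck": the counter is never reset again */
}

/* Monitor side: spawn the child, reap it when it dies, start another. Returns the
 * number of watchdog-triggered restarts observed, or -1 if a child died some other way. */
int monitor_run(int restarts_wanted)
{
    int restarted = 0;
    while (restarted < restarts_wanted) {
        pid_t pid = fork();
        if (pid < 0) return -1;
        if (pid == 0) child_main();      /* never returns */
        int status;
        if (waitpid(pid, &status, 0) != pid) return -1;   /* a real monitor does this from SIGCHLD */
        if (!WIFEXITED(status) || WEXITSTATUS(status) != EXIT_FAILURE) return -1;
        restarted++;
    }
    return restarted;
}

int main(void)
{
    printf("watchdog trips after %d unserviced ticks\n", ticks_until_trip(WD_MAX_TICKS));
    int n = monitor_run(2);
    printf("monitor restarted %d stuck children\n", n);
    return n == 2 ? 0 : 1;
}
```

Two properties carry over to the real design: the handler does nothing but bump a counter and call _exit(), both async-signal-safe, so it is safe to fire while the process is in the middle of arbitrary code; and because the timer is in-process, the check needs no round trip over the bus, which is what lets the ping machinery go.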